docs consolidation and others

docs/security/README.md

@@ -0,0 +1,33 @@
+# Security, Risk & Governance
+
+Authoritative sources for threat models, governance, compliance, and security operations.
+
+## Policies & Governance
+- [SECURITY_POLICY.md](../SECURITY_POLICY.md) - responsible disclosure, support windows.
+- [GOVERNANCE.md](../GOVERNANCE.md) - project governance charter.
+- [CODE_OF_CONDUCT.md](../CODE_OF_CONDUCT.md) - community expectations.
+- [SECURITY_HARDENING_GUIDE.md](../SECURITY_HARDENING_GUIDE.md) - deployment hardening steps.
+- [policy-governance.md](./policy-governance.md) - policy governance specifics.
+- [LEGAL_FAQ_QUOTA.md](../LEGAL_FAQ_QUOTA.md) - legal interpretation of quota.
+- [QUOTA_OVERVIEW.md](../QUOTA_OVERVIEW.md) - quota policy reference.
+- [risk-profiles.md](../risk/risk-profiles.md) - organisational risk personas.
+
+## Threat Models & Security Architecture
+- [authority-threat-model.md](./authority-threat-model.md) - Authority service threat analysis.
+- [authority-scopes.md](./authority-scopes.md) - scope model.
+- [console-security.md](./console-security.md) - Console posture guidance.
+- [pack-signing-and-rbac.md](./pack-signing-and-rbac.md) - pack signing, RBAC guardrails.
+- [policy-governance.md](./policy-governance.md) - policy governance controls.
+- [rate-limits.md](./rate-limits.md) - rate limiting behaviour.
+- [password-hashing.md](./password-hashing.md) - credential storage.
+
+## Audit, Revocation & Compliance
+- [audit-events.md](./audit-events.md) - audit event taxonomy.
+- [revocation-bundle.md](./revocation-bundle.md) & [revocation-bundle-example.json](./revocation-bundle-example.json) - revocation process.
+- [license-jwt-quota.md](../license-jwt-quota.md) - licence/quota enforcement controls.
+- [QUOTA_ENFORCEMENT_FLOW.md](../QUOTA_ENFORCEMENT_FLOW.md) - quota enforcement sequence.
+- [OFFLINE_KIT.md](../OFFLINE_KIT.md) - tamper-evident offline artefacts.
+
+## Supporting Material
+- Module operations security notes: [authority/operations/key-rotation.md](../modules/authority/operations/key-rotation.md), [concelier/operations/authority-audit-runbook.md](../modules/concelier/operations/authority-audit-runbook.md), [zastava/README.md](../modules/zastava/README.md) (runtime enforcement).
+- [observability/policy.md](../observability/policy.md) - security-relevant telemetry for policy.

docs/security/dpop-mtls-rollout.md

@@ -22,7 +22,7 @@ _Last updated: 2025-11-07_
 ## Phase 3 · mTLS Binding (ETA 2025-11-10)
 - [x] Capture client cert thumbprint on `/token` (mutual TLS) and store in `authority_tokens.senderCertificate`.
 - [x] Validate cert hash on `/introspect` and `/fresh-auth`.
-- [ ] Document bootstrap/rotation in `docs/11_AUTHORITY.md` + `docs/security/dpop-mtls-rollout.md` (this file).
+- [ ] Document bootstrap/rotation in `docs/AUTHORITY.md` + `docs/security/dpop-mtls-rollout.md` (this file).
 
 ## Verification Matrix
 | Scenario | Test/Command | Expected |

docs/security/policy-governance.md

@@ -82,7 +82,7 @@
 
 - Trigger incident mode for determinism violations, backlog surges, or suspected policy abuse.
 - Capture replay bundles and run `stella policy run replay` for affected runs.
-- Coordinate with Observability dashboards (see `/docs/observability/policy.md`) to monitor queue depth, failures.
+- Coordinate with Observability dashboards (see `/docs/modules/telemetry/guides/policy.md`) to monitor queue depth, failures.
 - After resolution, document remediation in Lifecycle guide (§8) and attach to approval history.
 
 ---

docs/security/trust-and-signing.md

@@ -17,7 +17,7 @@ Guidance on DSSE/TUF roots, rotation, and signed time tokens.
 - In sealed mode, trust only bundled metadata; no remote refresh.
 
 ## Signed time tokens
-- Export signed time anchors (see `docs/airgap/staleness-and-time.md`):
+- Export signed time anchors (see `docs/modules/airgap/guides/staleness-and-time.md`):
   - Token fields: `issuedAt`, `notAfter`, `timeSource`, `signature`, `rootVersion`.
   - Validate offline against trust roots; expire strictly at `notAfter`.